Service Provider

Background

Versions: 1.2; 1.3 (since July ‘05); 2.0 (beta expected May ‘06)

Platform: cross-platform C++; Microsoft IIS (via ISAPI); Apache httpd 1.3 & 2.0; Java (Shib 2.0)

[Diagram: Service Provider (Apache + mod_shib, shibd) <-> Identity Provider]

Building it

Binaries: Redhat RPMs since 1.3; much easier (if suitable)

Documentation: dropped from the Shib docs as of 1.3 in favour of the wiki... but partially missing from the wiki (select “Shibboleth Web”)

Install guide: not part of our original project plan... but in draft.

Dependencies (easy): apxs (apache-dev), libssl-dev, libcurl-dev; should be available with your O/S

Dependencies (intermediate): opensaml, libxml-security-c

Dependencies (harder): xerces-c (via Internet2; bug in upstream), log4cpp (via Internet2; project in limbo)

Other bits: service (/etc/init.d) script; steal from the Redhat packages if your init.d works the same

First go: Hello world, local to the Apache server; no internal Auth{N/Z} notion

example

First go: set wayfURL to your local IdP; self-signed certificates; logout?

Authorization

Access control: by the server; by the application; by a framework

application-managed

Server-managed: Apache (httpd.conf / .htaccess files); Shibboleth (1.3b, XML-based)

Apache-based: Require entity-name [entity-name]

Shibboleth-based: relatively new, added in 1.3b; performance questions

Example entitlement value: urn:mace:example.edu:exampleEntitlement
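What the Apache-based form looks like in practice, as an added example (this is not config from the slides): three Shib 1.3 mod_shib rules in httpd.conf. The attribute names on the Require lines are the aliases from the SP's AAP.xml; “affiliation” and “entitlement” are the defaults shipped with the SP, the paths /secure, /secure/journals and /staff and the scope example.edu are placeholders.

```apache
# Added example, not from the slides: server-managed access control with
# mod_shib 1.3 directives. Paths and the example.edu scope are placeholders.

# Anyone with a valid Shibboleth session, from any IdP this SP trusts.
<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user
</Location>

# Only users whose eduPersonEntitlement carries the slide's example value.
# The AAP alias "entitlement" maps to the Shib-EP-Entitlement header.
<Location /secure/journals>
  AuthType shibboleth
  ShibRequireSession On
  Require entitlement urn:mace:example.edu:exampleEntitlement
</Location>

# Scoped affiliation: staff *at example.edu*, not any IdP's "staff".
# Several Require lines are OR'ed by default; ShibRequireAll On ANDs them.
# The scope check is only meaningful if AAP.xml restricts which IdP may
# assert which scope; otherwise any trusted IdP could claim staff@example.edu.
<Location /staff>
  AuthType shibboleth
  ShibRequireSession On
  ShibRequireAll On
  Require affiliation staff@example.edu
  Require valid-user
</Location>
```

Check the alias names against your own AAP.xml before copying: a Require line naming an alias that the AAP does not export never matches, so a typo fails closed, but a Require on an attribute the AAP does not filter by scope trusts whatever the asserting IdP chooses to send.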

Dealing with walk-ins: “kiosk”-types, e.g. library terminals; mod_auth_location (on/module.html)

Framework-managed: Java Authentication & Authorization Service (JAAS); Active Directory Federation Services (ADFS), covered later

Use Cases

A real service: a local app with internal user auth{N/Z}; hack in “trusting” an environment variable, e.g. $REMOTE_USER; on-the-fly account creation; deletion? logout?

Example: Sympa mailing list manager: attributes via environment variables; app-configurable mapping; authorization handled by Apache; a canonical URL defined by Sympa

Sympa’s logout: two-stage login: authenticated by Shibboleth, then explicitly asked to be “logged in” (demo)
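The two-stage login expressed as Apache configuration, as an added example (neither the slides' own config nor anything from the Sympa project): only the application's dedicated login URL is Shibboleth-protected, so the rest of the app stays usable anonymously and the SP is consulted only when the user explicitly asks to log in. It assumes WWSympa is served under /wws with a generic_sso service_id of “shibboleth”, giving the login URL /wws/sso_login/shibboleth (check the service_id in your auth.conf), and the FastCGI script path is a placeholder.

```apache
# Added example, not from the slides or from Sympa: a two-stage login.
# Assumed paths: /wws for WWSympa, service_id "shibboleth" in auth.conf.
ScriptAlias /wws /usr/lib/sympa/cgi/wwsympa.fcgi

# Stage 1: the application itself, anonymous. No AuthType here, so no
# Shibboleth session is needed to browse lists or archives.
<Location /wws>
  Order allow,deny
  Allow from all
</Location>

# Stage 2: the login handler only. The SP enforces a session before the
# request reaches Sympa, which reads the exported attributes from the CGI
# environment (e.g. HTTP_SHIB_EP_AFFILIATION from the default AAP.xml
# header Shib-EP-Affiliation) and creates or looks up the local account.
<Location /wws/sso_login/shibboleth>
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user
</Location>
```

The two sessions are independent: logging out of Sympa clears Sympa's own cookie but not the SP's session (nor the IdP's), so the next click on the login URL silently re-authenticates the same person. That is the logout question on the slide, and on a shared terminal it means the application's logout must also end the SP session or the browser session.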

External services: Shibboleth/Apache front-end, “black-box” back-end, e.g. proxying (via mod_proxy) or FastCGI

[Diagram: Service Provider (Apache + mod_shib, shibd) <-> Identity Provider, as before]

[Diagram: front-end (Apache + mod_shib + shibd + mod_proxy) <-> Identity Provider; mod_proxy forwards to the back-end]

mod_proxy front-end:
  ProxyPass /jon
  ProxyPassReverse /jon
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user

On the back-end:
  Order deny,allow
  Deny from all
  Allow from shib-front-end.ncl.ac.uk

Shortcomings: IP spoofing on the back-end; cookie scope; certificate scope
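One way to tighten the front-end/back-end split against the first shortcoming, as an added example (not the slides' own configuration): the back-end accepts a request only if it both arrives from the front-end's address and carries a shared secret that the front-end stamps on every proxied request. Hostnames, the address 10.0.0.5, the secret value and the /jon path are placeholders.

```apache
# Added example, not from the slides: hardening the mod_proxy split.
# Hostnames, 10.0.0.5, the secret and /jon are placeholders.

# ---- front-end: Apache + mod_shib + mod_proxy ----
# Authentication happens here. mod_shib 1.3 exports session attributes as
# request headers, and mod_proxy forwards those to the back-end unchanged.
<Location /jon>
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user
  # Stamp each proxied request with a secret the browser cannot know.
  # "set" overwrites any value a client tried to supply in the same header.
  RequestHeader set X-Proxy-Secret "replace-with-a-long-random-value"
</Location>
# Proxy over TLS (or a private link): otherwise the secret and the
# identity headers are readable on the wire.
SSLProxyEngine On
ProxyPass        /jon https://app-backend.example.edu/jon
ProxyPassReverse /jon https://app-backend.example.edu/jon

# ---- back-end: no Shibboleth, trusts only the front-end ----
<Location /jon>
  # Network check by address rather than hostname: "Allow from <name>"
  # depends on reverse DNS, which is one more thing an attacker can influence.
  Order deny,allow
  Deny from all
  Allow from 10.0.0.5
  # AND the shared-secret check: a spoofed source address alone is not enough.
  RewriteEngine On
  RewriteCond %{HTTP:X-Proxy-Secret} !^replace-with-a-long-random-value$
  RewriteRule .* - [F]
</Location>
```

Both checks still assume browsers can never reach the back-end directly; put it on a private interface and have the application read identity only from the headers the front-end sets. The cookie-scope shortcoming is of the same kind: the SP's session cookie is issued for the front-end hostname, so any alternative name or port that lands on the back-end bypasses the session entirely.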

example again